WordPress Plugin Vulnerabilities

Infility Global < 2.15.19 - Subscriber+ SQL Injection via order Parameter

Description

The plugin does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.

Proof of Concept

Affects Plugins

Fixed in 2.15.19

References

YouTube Video

Classification

Type
SQLI
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
TRAN THE LONG
Submitter
TRAN THE LONG
Verified
Yes

Timeline

Publicly Published
2026-06-02 (about 1 month ago)
Added
2026-06-02 (about 1 month ago)
Last Updated
2026-07-09 (about 4 days ago)

Other